Trademark Logo Xalan XSL Transformer User's Guide
Release Notes
Apache Foundation Xalan Project Xerces Project Web Consortium Oasis Open

Release Notes


Release notes for Xalan-Java 2.7.3

Xalan-Java 2.7.3 was released in April 2023.


Java 8 requirement

This XalanJ release, requires users to use Java minimum version 8 for working with XalanJ.

Fix for CVE-2022-34169 An integer truncation issue when processing malicious XSLT stylesheets

This issue was fixed within XalanJ's XSLTC processor. This XalanJ issue, when present causes following problems: Malicious XSLT stylesheets may be written, which could result in XalanJ invalid translet Java byte code to be produced by XalanJ XSLTC processor. The XalanJ translet is a Java byte code compiled representation, of an XSLT transformation.

Upgrade to Apache Commons BCEL 6.7.0

This XalanJ release, contains upgraded version of Apache Commons BCEL library. [Gary Gregory]

Enhancements for, performing XalanJ build and running of XalanJ tests from source distribution

The XalanJ users, can now make XalanJ builds and perform XalanJ tests from the XalanJ source distribution. The XalanJ build scripts for the implementation and the tests, both for the Windows and Linux platforms, were enhanced to support building XalanJ with JDK 1.8. [Gary Gregory, Joseph Kessselman, Mukul Gandhi]

Upgrade to Xerces-J 2.12.2

This XalanJ release, contains upgraded versions of xercesImpl.jar and xml-apis.jar (Xerces-J 2.12.2).

XALANJ Jira bug fixes

2638, 2623, 2607, 2601, 2600, 2584, 2346


Release notes for Xalan-Java 2.7.2

Xalan-Java 2.7.2 was released in April 2014.


Fix for CVE-2014-0107 insufficient secure processing

When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:

should be ignored (see

These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.

<xsl:output xalan:content-handler="org.example.BadClass" ...

<xsl:output xalan:entities="" ...

These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.

See XALANJ-2435.


Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01

The distributions contain upgraded versions of xercesImpl.jar (Xerces-J 2.11.0) and xml-apis.jar (XML Commons External 1.4.01).


XALANJ Jira bug fixes

XALANJ Jira bug fixes: 2435, 2580, 2546, 2581, 2582, 2583, 2473, 2495, 2493, 2424, 2446, 2447

You can also view the list in Jira


Release notes for Xalan-Java 2.7.1

Xalan-Java 2.7.1 was released in August 2007.

The serializer now has support for DOM Level 3 serialization (LSSerializer) for an XML parser. These changes are seen in the new class org.apache.xml.serializer.DOM3Serializer and the new package org.apache.xml.serializer.dom3 as well as a new method, asDOM3Serializer() on the older org.apache.xml.serializer.Serializer interface.

More details are in the javadoc of those classes and interfaces.

The distributions contain upgraded versions of xercesImpl.jar (Xerces-J 2.9.0) and xml-apis.jar (XML Commons External 1.3.04). The distributions were tested with these versions of Xerces-J and XML Commons External and are the recommended versions to use with the release.

Important: You may experience unpredictable anomalies if your Xalan-Java and Xerces-Java builds are not in synch.

Xalan-Java 2.7.1 contains the following functional enhancements, performance enhancements and bug fixes since 2.7.0:


Release notes for Xalan-Java 2.7.0

Xalan-Java 2.7.0 was released on August 8, 2005.

Xalan-Java 2.7.0 contains the following functional enhancements, performance enhancements and bug fixes since 2.6.0.

Support for JAXP 1.3

Support for JAXP 1.3 has been introduced in this release of Xalan-Java. JAXP 1.3 includes a new javax.xml.xpath package, which provides an object-model neutral API for the evaluation of XPath expressions and access to the evaluation environment. Please refer to Using the JAXP 1.3 XPath API for details on how to use the new XPath API. You can also look at the code in the samples ApplyXPathJAXP , XPathResolver and ExtensionFunctionResolver.

There are also a few new transformer features in JAXP 1.3, as described in the following list:

  • A new method TransformerFactory.setFeature(String name, boolean value)
  • A new method Transformer.reset()
  • A new nextSibling attribute is introduced for DOMResult, accessible by the constructors, getter and setter methods.
  • Support for the secure processing feature
  • New default error handling behavior
    The behavior of the default ErrorListener was changed in this release of Xalan-Java, in order to conform with a clarification of the required behavior described by JAXP 1.3. If an application does not register its own ErrorListener, the default ErrorListener is used which reports all warnings and errors to System.err and does not throw any Exceptions. Applications are strongly encouraged to register and use ErrorListeners that insure proper behavior for warnings and errors. The default ErrorListener of the old Xalan-Java Interpretive processor throws exceptions on errors and fatal errors. If your code expects exceptions to be thrown on errors and fatal errors, you have to set a customized ErrorListener on TransformerFactory and/or Transformer. You can use org.apache.xml.utils.DefaultErrorHandler as a sample ErrorListener implementation.
    Support for XML 1.1

    This release of Xalan-Java adds support for Namespaces in XML 1.1 and XML 1.1 output documents. The processors:

  • support C0 control characters
  • handle C1 control characters in a way that is consistent with the requirements of XML 1.1
  • treat NEL (U+0085) and LSEP (U+2028) as end-of-line markers
  • support Internationalized Resource Identifiers (IRIs)
  • support the additional characters in NCNames and QNames permitted by XML 1.1 and Namespaces in XML 1.1
  • The processors do not undeclare namespaces other than the default namespace in serialized documents Also, Full normalization is not supported.

    An input document can be either XML 1.0 or XML 1.1. Also, a stylesheet document can be either XML 1.0 or XML 1.1. A stylesheet document must conform to the XSLT 1.0 specifications.

    Note that it is possible for a stylesheet module that is an XML 1.1 document to use constructs that cannot be serialized as part of a valid XML 1.0 document, and for a stylesheet module that is an XML 1.0 document to use constructs that cannot be serialized as part of a valid XML 1.1 document. For example, a stylesheet module that is an XML 1.1 document might contain a literal result element whose name contains characters that are not permitted as part of a QName in a document that conforms to Namespaces for XML 1.0. The user needs to ensure that the nodes created by the stylesheet can be serialized as part of a well-formed document of the required version of XML.

    Support for Alternative BSF Implementations

    Extensions written in Java are directly supported by Xalan-Java. For extensions written in languages other than Java, Xalan-Java uses the Bean Scripting Framework (BSF), an architecture for incorporating scripting into Java applications and applets, and an implementation of BSF must be available on the classpath. In previous releases, IBM's BSF implementation (bsf.jar from 2001) has been included in the Xalan-Java distribution. Some time ago IBM donated their BSF implementation to the Apache Jakarta BSF project. As of this release, the IBM bsf.jar is no longer included in the Xalan-Java distribution. To use extensions written in languages other than Java, please download a version of Jakarta BSF and put it on your classpath. To use a different BSF implementation, please refer to setting the BSFManager.

    New serializer.jar

    In this release of Xalan-Java the code related to serialization of output result trees has been pulled out of xalan.jar and moved into a new jar file, named serializer.jar.

    The code in serializer.jar has been modified to have no build or runtime dependencies on the rest of the code in Xalan-Java, therefore, serializer.jar can be used in a stand-alone fashion through its public APIs. Although the code has been modified to create a stand-alone jar, the serializer public APIs have not changed and the package names and classnames are the same as they were last release.

    Also the following:


    Release notes for Xalan-Java 2.6.0

    Xalan-Java 2.6.0 was released on February 29, 2004 (a leap year!).

    Xalan-Java 2.6.0 contains the following functional enhancements, performance enhancements and bug fixes since 2.5.2:


    Release notes for Xalan-Java 2.5.2

    Xalan-Java 2.5.2 was released on October 30, 2003.

    Xalan-Java 2.5.2 contains bug fixes and performance enhancements since 2.5.1.

    Fixes in this release include the following:


    Release notes for Xalan-Java 2.5.1

    Xalan-Java 2.5.1 was released on June 3, 2003.

    Xalan-Java 2.5.1 contains bug fixes and performance enhancements since 2.5.0.

    Fixes in this release include the following:


    Release notes for Xalan-Java 2.5.0

    Xalan-Java 2.5.0 was released on April 16,2003.

    Xalan-Java 2.5.0 contains a variety of features, bug fixes and performance enhancements since 2.5.D1.

    New features in Xalan-Java 2.5.0 include:

    These features have been driven by a need to get common behavior, improve maintainability, reduce duplication of effort for future work, and in some cases improve performance and conformance.

    Refer to What's New for a description of the new function and History of software changes for a list of the various bug fixes and other enhancements in this release.


    Release notes for Xalan-Java 2.5.D1

    Xalan-Java 2.5.D1 was released on March 3, 2003.

    This developer's release, Xalan-Java 2.5.D1, has changes since 2.4.1 and is primarily for the purpose of releasing various bug fixes to the community. These will eventually be released officially in a future Xalan-Java 2.5 version, along with some new function.

    Fixes in this release include the following:


    Release notes for Xalan-Java 2.4.1

    Xalan-Java 2.4.1 was released on October 31, 2002 (Halloween!).


    Release notes for Xalan-Java 2.4.0

    Xalan-Java 2.4.0 was released on September 3, 2002.


    Other points of interest